Please see the Election Integrity Homepage for complete coverage and the latest news.
The Democratic Party's Election Integrity Committee has been locking horns with Pima County over the security of the elections systems used in local elections. The result has been a protracted lawsuit that is trying to get access to public election records and answers to some fundamental security questions, a criminal investigation by the Attorney General's office into the actions of Pima County Division of Elections personnel, and a report issued by Chuck Huckelberry's office to the Board of Supervisors regarding election security and what his office is doing about it.
The issues in this dispute are somewhat detail-oriented, not terribly media-genic, and there are really a couple of areas of concern, not just one. The result of this sprawling and evolving set of facts is that the press doesn't do a very good job of informing the public about what the issues really are. Worse, the press' view that every story has two equally valid sides tends to allow some parties to the dispute to make wildly inaccurate and unsupported claims without the press really examining the facts underlying those claims. The result is that bullshit frequently doesn't get called on some folks who richly deserve to have their bullshit called.
I'm going to be taking a close look at some of the primary materials (the forensic report (PDF) the AG's office relied on, Huckelberry's report to the Pima Board, statements from the AG's office (PDF), and depositions from the pending lawsuit by the Democratic Party against Pima County (not online)) and try to distill the most important facts and issues so that you can understand what's really at stake in this controversy.
It's important to look at all this material together. If you only read Chuck Huckelberry's report to the Pima County Board of Supervisors on the election integrity controversy, for instance, you might get the impression that while there might have been some serious problems with election security in the past, there certainly wasn't any criminal behavior at all, and new security measures have put all such worries about the security of our elections to rest for good. Of course, that's exactly what CHuckelberry would have you believe.
GEMS and iBETA and Other Obscure Terms.
The heart of the matter is the security of the GEMS software that Pima County uses to tabulate votes. Election integrity activists noted discrepancies in the log files that were consistent with tampering with the vote and asked the Attorney General's office to take a look, since the Pima County Attorney's office had a conflict of interest because they are required to represent the County in the lawsuit.
During their investigation of these allegations of possible criminal tampering with the Regional Transportation Authority election, the Attorney General's office contracted with iBeta, a voting technology testing lab accredited by the U.S. Election Assistance Commission, for computer forensic services. Understanding iBeta's report is vital to gaging the appropriateness of subsequent government reactions, including Huckelberry's report.
I have some experience with computer forensics from my time at AOL with the Trojan horse and virus team, and from work defending clients against allegations of computer-based criminal activity. I don't claim to be an expert, but I can read a forensic analysis report. The key paragraphs of the iBeta report are astounding and deserve to be reproduced in full before commenting on them:
"During testing it was discovered that the GEMS software exhibits fundamental security flaws that make definitive validation of data impossible due to the ease of data and log manipulation from outside the GEMS software itself.
Ultimately, it is the determination of iBeta that the overwriting of the target file can be attributed to human error. iBeta arrives at the "human error" conclusion for two reasons:
1) iBeta was unable to detect any manipulation of the 051606 [editor - the RTA vote database] event data across the multiple copies of the data discovered.
2) The basis of the of the investigation is that there are log entries that point to tampering - but it is far easier to remove evidence of tampering from the logs that to actually tamper with the vote totals in the Microsoft Access database that the GEMS software uses. So it does not follow that someone with the knowledge to manipulate the GEMS data would neglect to alter the log file to remove the evidence of the manipulation."
You probably want to read that a few times. There are some startling statements and some interesting premises that we need to examine in those paragraphs.
"The GEMS software exhibits fundamental security flaws that make definitive validation of data impossible..." What this means is the GEMS software is not capable of providing any assurance that the data files have not been altered. There is no way to be sure that the data hasn't been changed. I'd say that providing such data security is a pretty fundamental function of voting software. GEMS can't provide even the most rudimentary level of security.
Unfortunately, that software has some quite serious security issues; in fact, it would fair to say that the software essentially has no security. Jim March, a board member of election integrity advocacy group Black Box Voting, demonstrates the software's profound vulnerability in this video:
The GEMS software was not designed for elections; it is general data capture and tabulation software that was retrofitted and marketed for this purpose. Because it wasn't built with security in mind, it is, quite simply, a security nightmare. It's fine software for many non-secure data compilation applications, but it is a miserable joke to use in when security and auditability is a primary concern.
You can essentially boot up MS Access and edit the data tables to alter all the voting data (the actual vote counts) and access logs (records of who accessed what and when) and leave no trace of your tampering. The GEMS software is fundamentally flawed and cannot be made secure, yet, as we shall see, Pima County continues to use it, and has no plans to stop using it, and is instead relying on a flurry of security procedure chaff that attempts to cover up the simple fact that the software they are using is worse than useless.
The conclusion that there was no tampering is essentially meaningless given that "definitive validation of data [is] impossible." This fundamental contradiction becomes apparent when iBeta gives the reasons for their conclusion. iBeta did not detect any manipulation, but that is to be expected, because there would be no evidence if someone tampered with the data and knew what they were doing. But because iBeta did see irregularities in the log, which would be easier to manipulate than the voting data itself, the irregularity must be due to human error, not tampering.
Did you get that? The data wasn't tampered with because a competent tamperer would not have left any evidence. There was some evidence, thus there must not have been any tampering. This is not computer forensics, it is amateur criminal profiling.
Is there any evidence of tampering? There are irregularities in the logs which could be consistent with rudimentary data tampering by overwriting files with new tampered data files. But rather than admit that there is no evidence that excludes the possibility of tampering (largely because the GEMS software is incapable to providing any degree of data security) iBeta concludes, based only on the fact that the evidence in the logs was not eliminated, that the discrepancies are due to user error. And if there were no evidence of tampering would they have concluded that the election data had been tampered with? Of course not.
So, how does the Attorney General characterize this damning report that concludes that GEMS is fundamentally flawed, and that evidence in the log files consistent with tampering is actually user error because a real tamperer wouldn't leave any evidence? "Attorney General Terry Goddard today announced that his office did not find evidence that anyone tampered with a Regional Transportation Authority election in Pima County last year." Really? I thought if there wasn't any evidence that would be evidence of tampering according to iBeta. I kid. But, the statement is clearly far too categorical. It isn't false, but it isn't accurate either.
The release goes on to say, "We did not find any evidence that the computer technician at the center of this case manipulated this election. However, the consultant's report reviewing the system did raise serious concerns about election security." Well, I suppose it's getting more accurate, but Goddard still hides behind the failure to find any positive evidence when, in fact, there is evidence of irregularities, but iBeta decided that it represented only user error and not an attempt to manipulate the vote. Goddard's statement also fails to mention just how fundamentally serious the security concerns are, or how they might be addressed. The most effective thing would be to immediately stop using fundamentally flawed software! Granted, Goddard's report does indicate that their "review did reveal election security weaknesses that need to be addressed by Pima County." Very diplomatic, but hardly it hardly speaks to point of assuring secure elections.
When it comes to the bottom line, however, the AG gets it dead wrong. The AG's statement claims that iBeta's testing "determined that no data was changed in this election." That is misleading to the point of simply being false. iBeta concluded that they could not determine if any voting data was changed because the software is fundamentally flawed. Not being able to tell is not the same thing as determining no data was changed. iBeta's ultimate, and in my view, specious judgment that the log discrepancies were due to user error has no bearing on whether any voting data was changed. iBeta's only relevant conclusion was that they wouldn't be able to tell if vote data was changed.
Another bone of contention in the Democratic Party's pending lawsuit against Pima County is a demand for disclosure of the actual voting data to the plaintiffs so that they can do their own forensic analysis; they've only had access to the logs, in which they also noted the same discrepancies that iBeta dismisses as user error. So far, the Democratic Party has had to take Pima County's word on anything to do with the actual data. The reason given is that state law requires governments to keep the program code of electronic voting vendors secret: cozy deal, huh?
Pima County claims that the data files with the voting data are part of the GEMS program and thus cannot be released. That's like claiming that your term paper is part of your word processing software. It's completely absurd. Huckelberry's report touches on this peculiar claim saying, "In fact, it is precisely because of our concerns for election security that we have opposed the release of electronic information databases on the grounds that such information is not only made confidential by law, but also because such release would make future elections more vulnerable to attack."
You know, CHuckelberry has a point here. If I was using software that had fundamental security flaws, I would want to keep it under wraps, too. Unfortunately, secrecy is one of the worst forms of security there is. It would serve the voters of Pima County, and the security of future elections, much better to just use software that wasn't fundamentally flawed. Then you wouldn't have to twist yourself in semantic knots trying to avoid releasing your data, because its release wouldn't make future elections vulnerable to attack.
Who's Got The Summary Reports?
Another issue at the heart of the case against Pima County Elections Division is that employees frequently ran summary reports which revealed the progress of races before the close of voting. Such a report, if accessed prior to the end of an election, would essentially be a hyper-accurate poll which could be used to influence the outcome of an election. Creating such a report is not a crime by itself, but sharing that report with anyone with the purpose of influencing an election would be.
Once a hard copy of such a summary report is created, it can become very difficult to account for it. Such reports could end up anywhere if not promptly destroyed. Was there evidence that such reports were systematically destroyed according to an established policy? No. Yet the AG's office nonetheless concluded that "Mr. Crane did not share with anyone the results from these summary reports," and concluded their investigation.
The Attorney General's investigation did not speak to relevant
witnesses like Robert Evans, supervisor of the Elections Division
warehouse, who helped run the equipment that generated these summary
reports, even though the lead investigator was told he would give
Under oath during his deposition by the Democratic Party, Mr. Evans had
lots of interesting things to say about those summary reports, all of
which directly contradicts what was told to the Attorney
General's investigators by the subjects of the inquiry.
The first thing we learn from Mr. Evans is that Bryan Crane, the IT supervisor who was the focus of the AG's inquiry, was not the only one to run summary reports, or to have access to them. Mitch Etter and Brad Nelson and Mary Martison (employees of the Pima County Elections Division) and Kathy Cuvelier (an Oro Valley city clerk employee) had all printed, caused to be printed, or had been given access to summary reports, according to the deposition of Mr. Evans. Did the AG's investigation consider all these folks? They only mention Bryan Crane.
Further, Mr. Evans testified that Mitch Etter and Brad Nelson would regularly remove those reports from the computer room in which they were generated, and he did not know what was done with them. Where did those reports end up? Were they destroyed? Shared with others? There are strong suggestions in Mr. Evan's testimony that those reports were, in fact, shared with interested parties, possibly the Oro Valley clerk's office or town council. Who else might have been interested in getting summary reports? Given that the printing of these reports, their removal from the counting room, and their possible sharing with outsiders was a regular occurrence over a number of years, the AG reports' acceptance that there reports were only used to double check results seems rather too trusting.
It doesn't seem that the AG's investigation gave any credence to information provided them by the Democratic Party and its counsel, or that those leads were even investigated. I don't wish to think that the investigation consisted merely of a cursory interviews with the principals in the Elections Division sufficient to create a report that accepts their testimony as gospel truth, avoiding any embarrassment for Pima County, while avoiding collection of any information from witnesses that might require further inquiry. I would like to know what happened to all those summary reports and whether they ended up in hands they weren't supposed to, but the AG's deferential investigation and its cherry-picked conclusions leave me far from convinced that what happened here was anything other than a convenient whitewash.
So What's the Big Deal?
The report that Pima County Administrator Chuck Huckelberry's office generated in response to this whole kerfuffle is a masterpiece of misdirection. It is laudable that the Elections Division has started looking seriously at the security of our elections, but that is their job, after all - one might wonder why it took a lawsuit by one of our political parties to get them off the dime. But the impressive litany of security measures that Huckelberry's report lays out is missing one very important bullet point: the GEMS software itself.
They are going to all sorts of extremes in electronically isolating equipment, enhancing access controls, installing video surveillance, upgrading their procedures to ensure that printed reports are dealt with appropriately and that observers have appropriate roles, and instituting new training. And Pima County is apparently willing to spend as much as $10 million on doing all this. That is all to the good, and, I might add, is all due to the pressure brought to bear on an arrogant and unresponsive bureaucracy by a tenacious pro bono trial attorney, Bill Risner, and a cadre of committed election integrity activists in the Democratic and Libertarian parties. All the voters in Pima County owe them a big thank you.
But the GEMS software itself, as iBeta's report makes so clear, is fundamentally flawed. It provides no data security at all. You can wrap a flawed system in as many layers of security as you like, but it remains a flawed system that is simply unsuitable for the conduct of elections. Huckelberry's report seems to recognize the problem: "Furthermore, iBeta stated that its testing revealed that the GEMS software exhibited "fundamental security flaws that make definitive validation of data impossible due to the ease of data and log manipulation." It is this finding that further strengthens our commitment to ongoing improved physical security as well as implementation of more checks and balances."
So close! It's right there in front of them: they need to address the software issue. But they instead draw the conclusion that they need 'physical security' and 'checks and balances'? Really? Wouldn't a real commitment to security include giving voters the assurance that their vote data could be definitively validated, so that a bozo with a copy of MS Access couldn't steal their democratic voice?
Instead they are clarifying admin rights on their computers, instituting dual passwords and ballot chain-of-custody procedures, enhancing records retention, and even running hash tests to validate the integrity of the GEMS software. We would be better off if they would simply trash GEMS and use software that is not fundamentally flawed. Why won't Brad Nelson and Chuck Huckelberry do that, when common sense so clearly points to this being the most crucial and most obvious security improvement?
I don't know.
Even speculation finds little purchase on that enigmatic nut. But if I had a way that I could secretly change the outcome of any election at my whim, with absolutely no way to detect that tampering because the software was fundamentally flawed, I have to wonder if I would want to give that up. I would hope that I would, but human nature being what it is, I don't think I could categorically say. I might build the walls around that system so high and secure that people could feel a little better about the gaping security black hole at thr center of my elections system, but I might not really want to give up the ability to nudge a number here or there.
Now, I wouldn't for a moment suggest that anyone in the Pima County government has such an improper and unworthy motive in continuing to insist on using the GEMS software, but I also couldn't blame anyone for arriving at this uncharitable conclusion, either.